[Samba] various DNS scenarios / setups with samba4 + BIND9

µicroMEGAS micromegas at mail333.com
Wed Mar 6 11:35:13 MST 2013


Hello everybody,

I am not sure which DNS setup will fit my needs best. I can imagine that
there are a lot of users out there who are also using BIND9 servers in their
environment and can share their experience. In my case I am running the
following setup:

I have two existing hosts running DNS and DHCP services. I have set up a
DHCP cluster with isc-dhcp-server on both machines, which means I have a
redundant DHCP service. One of the hosts runs BIND9 as a master server,
while the other host is my slave. It polls and receives updates from the
master. It's a classical setup I use.
Both machines run Debian GNU/Linux Squeeze and have BIND9 installed.

Here's the output and more details about the BIND9 version which is
installed:

# named -V
BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes'
'--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing
-DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS='

As many of you Debian Squeeze users out there know, BIND 9.7.3 is the latest
stable package in the Debian Squeeze stable repository. The only way to have a
newer version installed would be either to use apt-pinning (which is very
dangerous and can mess up your system if you don't know what you are
doing!), to download a package which was built by someone else (Ubuntu has
some, as I have read on samba4's wiki?) or to package your own version on
your system (which I have done already). So I have compiled and built
version BIND 9.8.4.dfsg.P1-5 on one of these two hosts. So I have the .deb
package and would be able to install it at any time if I need it.
Actually I have not installed this 9.8.4 version yet. So let's continue ...

Hostname: MASTER
-----------------------------
IP: 172.16.1.22

/etc/resolv.conf: 
domain mycompany.com
search mycompany.com dhcp.mycompany.com
nameserver 172.16.1.22
nameserver 172.16.1.23


Hostname: SLAVE
------------------------
IP: 172.16.1.23

content of /etc/resolv.conf is: 
domain mycompany.com
search mycompany.com dhcp.mycompany.com
nameserver 172.16.1.23
nameserver 172.16.1.22


Now let's look at the new samba4 which comes into the game. Samba4 was
configured from the tarball source version 4.0.3 with "./configure
--enable-selftest --with-quotas --with-acl-support --with-syslog" and
installed. I did a "samba-tool domain classicupgrade
--dbdir=/etc/samba3files --use-xattrs=yes --realm=ad.mycompany.com
/etc/samba3files/smb.conf -d3 2>&1 |tee /root/classicupgrade.log". As I did
not specify any further options, the internal DNS server was used, as it is
the default choice for DNS when nothing else is specified. My intention was
that I want samba4 to be a different DNS zone, independent of the rest of my
network (MASTER+SLAVE). Samba4 should only host and serve everything
related to Active Directory. But first here's the config of the samba4
server:

Hostname:SAMBA4
-------------------------
IP: 172.16.1.24
OS: Debian Squeeze GNU/Linux

content of /etc/resolv.conf is: 
domain ad.mycompany.com
search ad.mycompany.com
nameserver 172.16.1.24

Well, now let's look deeper in detail at what happens when a client is turned
on. The Windows machine is booting, and it gets an IP via DHCP from either
MASTER or SLAVE, as these two hosts are responsible for DHCP services. This
DHCP lease also includes the DNS nameservers, which point to 172.16.1.22 and
172.16.1.23. That means all my DHCP clients always use 172.16.1.22 as DNS,
and only if they cannot reach MASTER will they fall back to 172.16.1.23,
which is the SLAVE. Now I have to somehow tell my BIND9 servers to forward
all AD-related requests to the samba4 server. That is easily done with this
entry in my bind9 configuration (at master+slave):

[...]
zone "ad.mycompany.com" {
    type forward;
    forwarders { 172.16.1.24; };
};
[...]

So I did a clean separation by creating its own zone with the name
"ad.mycompany.com" (which is also my samba4 AD realm) and put a forwarder
for that zone. What happens if a client tries to resolve
somehost.ad.mycompany.com? It first connects to the master (172.16.1.22)
and queries the BIND9 service for "somehost.ad.mycompany.com". The BIND9
server immediately forwards this request to the samba4 server at 172.16.1.24,
which replies to this request and sends the correct answer back to the
Windows client. Of course all the mandatory test examples mentioned in the
samba4 AD HowTo work fine, too, when executed on MASTER, SLAVE or any other
DHCP Linux host on the net:

"host -t SRV _ldap._tcp.ad.mycompany.com." returns -->
_ldap._tcp.ad.mycompany.com has SRV record 0 100 389 samba4.ad.mycompany.com.
"host -t SRV _kerberos._udp.ad.mycompany.com." returns -->
_kerberos._udp.ad.mycompany.com has SRV record 0 100 88 samba4.ad.mycompany.com.
"host -t A samba.ad.mycompany.com." returns -->
samba4.ad.mycompany.com has address 172.16.1.24

That's nice, because every query with the suffix ad.mycompany.com made on my
network will be forwarded to and answered by the samba4 server
(172.16.1.24). But my big question is:

Is that enough to have samba4 working correctly with my clients? As you see
in this example, all my hosts (static and dynamically updated DHCP clients)
are only known by my existing BIND9 servers (master+slave). If I joined a
new Windows machine (hostname=example) to AD/samba4, then it would register
on samba4's internal DNS server as example.ad.mycompany.com, right? Will that
cause problems, as only newly joined machines will appear in samba4's
internal DNS server? I am not sure about this setup and would like to get
feedback from the pros.

Thanks a lot for reading and sorry for the long text, but the more details,
the better to understand :)

Cheers,
Lucas (local on IRC)
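The verification the post does by hand (querying the AD SRV records through MASTER and SLAVE and checking they match what the samba4 DC publishes) can be scripted. The following is an added example written for this thread, not code from the original post or from the Samba project. It uses the addresses and realm from the message, parses the `host -t SRV` answer format shown above, and compares the answer each forwarding resolver gives with the DC's direct answer, so a forward zone that is missing on one resolver, or a record the DC does not publish, shows up as a problem. Beyond the two names the post checks it also covers the other standard SRV names Windows clients look up during join and logon. The `sample_query` function and its answers are constructed so the check runs offline; `--live` runs real `host` queries against the three servers.

```python
"""Check that the BIND forward zone for the AD realm hands back the same
SRV answers a client would get from the Samba DC directly.
Added example for this thread; not code from the original post."""
import re
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# Addresses and realm as given in the post.
SAMBA_DC = "172.16.1.24"
FORWARDING_RESOLVERS = ["172.16.1.22", "172.16.1.23"]   # MASTER, SLAVE
REALM = "ad.mycompany.com"

# The first two names are the checks run in the post; the rest are the
# standard SRV names Windows clients look up during join and logon.
SRV_NAMES = [
    f"_ldap._tcp.{REALM}.",
    f"_kerberos._udp.{REALM}.",
    f"_kerberos._tcp.{REALM}.",
    f"_gc._tcp.{REALM}.",
    f"_ldap._tcp.dc._msdcs.{REALM}.",
]

# One answer line of `host -t SRV` (the tool prints it on a single line;
# the mail archive wrapped it in the post).
SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+?)\.?$"
)


def parse_srv(output: str) -> List[Tuple[int, str]]:
    """Return sorted (port, target) pairs; [] for NXDOMAIN / 'has no SRV record'."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append((int(m.group("port")), m.group("target").lower()))
    return sorted(records)


def query_host(name: str, server: str) -> str:
    """Live lookup: `host -t SRV <name> <server>` (needs the bind9-host tool)."""
    proc = subprocess.run(["host", "-t", "SRV", name, server],
                          capture_output=True, text=True, timeout=5)
    return proc.stdout


def check_forwarding(query: Callable[[str, str], str]) -> Dict[str, List[str]]:
    """For each SRV name, compare what MASTER and SLAVE return with the DC's
    own answer. Result maps name -> list of problems (empty list == OK)."""
    report: Dict[str, List[str]] = {}
    for name in SRV_NAMES:
        issues: List[str] = []
        direct = parse_srv(query(name, SAMBA_DC))
        if not direct:
            issues.append(f"DC {SAMBA_DC} publishes no SRV record for this name")
        for resolver in FORWARDING_RESOLVERS:
            via = parse_srv(query(name, resolver))
            if via != direct:
                issues.append(f"{resolver} answered {via}, DC answered {direct}")
        report[name] = issues
    return report


# Constructed sample answers so the checker can run offline: both resolvers
# mirror the DC except that SLAVE (172.16.1.23) lacks the _gc record.
_SAMPLE_PORTS = {SRV_NAMES[0]: 389, SRV_NAMES[1]: 88, SRV_NAMES[2]: 88,
                 SRV_NAMES[3]: 3268, SRV_NAMES[4]: 389}


def sample_query(name: str, server: str) -> str:
    """Fake `host` output standing in for the three servers (constructed)."""
    if server == "172.16.1.23" and name.startswith("_gc."):
        return f"{name.rstrip('.')} has no SRV record\n"
    return (f"{name.rstrip('.')} has SRV record 0 100 "
            f"{_SAMPLE_PORTS[name]} samba4.{REALM}.\n")


if __name__ == "__main__":
    # `--live` runs real queries against the three hosts; default uses the sample.
    query = query_host if "--live" in sys.argv else sample_query
    for srv, issues in check_forwarding(query).items():
        print(f"{srv:40} {'OK' if not issues else '; '.join(issues)}")
```

Run it from any host that can reach all three servers. A caveat worth keeping in mind when reading the results: BIND's default for a forward zone is `forward first`, so if the DC is unreachable the resolver falls back to normal recursion for ad.mycompany.com and the internal names end up being asked of the public root servers; adding `forward only;` to the zone block keeps those queries inside the network and makes a DC outage show up as a clean SERVFAIL instead.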
